Security

We take security seriously. Here's exactly how we handle your data and API keys.

API Key Handling

  • API keys are stored as environment variables on the server
  • Keys are never exposed to the client/browser
  • Keys are never stored in databases or logs
  • All API calls are made server-side via Next.js Route Handlers

Chat Data

  • Conversations are not stored in any database
  • Each request is stateless — no persistence between sessions
  • Messages are forwarded to Crane's API for inference only
  • No training on your conversations

Transport Security

  • All traffic served over HTTPS
  • API endpoints are server-side Route Handlers (not client-side)
  • Input validation on all API endpoints
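
Added example, not Crane's own code: a handler in the style the lists above describe, reading the key from a server-side environment variable, validating input, and forwarding each request statelessly. The variable name UPSTREAM_API_KEY, the placeholder upstream URL, the Bearer scheme, the size limits and the { reply } response shape are all assumptions.

```javascript
// Added example: names, limits and the upstream URL are assumptions, not Crane's code.
const UPSTREAM_URL = "https://inference.example.invalid/v1/chat"; // placeholder
const MAX_MESSAGES = 50, MAX_CHARS = 8000, ROLES = new Set(["user", "assistant"]);

// Input validation: accept only { messages: [{ role, content }] } within limits.
function validateChatBody(body) {
  if (!body || typeof body !== "object" || !Array.isArray(body.messages))
    return { ok: false, error: "messages must be an array" };
  const { messages } = body;
  if (messages.length === 0 || messages.length > MAX_MESSAGES)
    return { ok: false, error: "invalid message count" };
  for (const m of messages) {
    const bad = !m || !ROLES.has(m.role) || typeof m.content !== "string" ||
      m.content.length === 0 || m.content.length > MAX_CHARS;
    if (bad) return { ok: false, error: "invalid message" };
  }
  // Copy only the allowed fields so unexpected properties are not forwarded.
  return { ok: true, messages: messages.map(({ role, content }) => ({ role, content })) };
}

function json(status, payload) {
  const headers = { "content-type": "application/json" };
  return new Response(JSON.stringify(payload), { status, headers });
}

// env and fetchImpl are injectable so the handler can be exercised offline.
function makeChatHandler({ env = process.env, fetchImpl = fetch } = {}) {
  return async function POST(request) {
    const key = env.UPSTREAM_API_KEY; // read on the server, never sent to the browser
    if (!key) return json(500, { error: "server misconfigured" });
    let body;
    try { body = await request.json(); } catch { return json(400, { error: "invalid JSON" }); }
    const checked = validateChatBody(body);
    if (!checked.ok) return json(400, { error: checked.error });
    try {
      const upstream = await fetchImpl(UPSTREAM_URL, {
        method: "POST",
        headers: { authorization: `Bearer ${key}`, "content-type": "application/json" },
        body: JSON.stringify({ messages: checked.messages }),
      });
      if (!upstream.ok) return json(502, { error: "upstream error" });
      const data = await upstream.json();
      // Only the reply text goes back; nothing is written to a database or log.
      return json(200, { reply: String(data?.reply ?? "") });
    } catch {
      return json(502, { error: "upstream unavailable" }); // no error detail echoed
    }
  };
}
// In a Next.js app/api/chat/route.js file: export const POST = makeChatHandler();
```

The error paths return fixed strings rather than the caught exception, so request headers containing the key cannot leak into a response body.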

Responsible Disclosure

If you discover a security vulnerability, please email hello@crane.codes with the subject "Security Vulnerability". We'll respond within 48 hours.